PBR Blocks Wi-Fi Controller Guest Portal

jcisne22
Level 1

I've applied PBR on my core switch (3850) on the Guest VLAN, which routes Guest traffic to a different ISP rather than having it run on our production one. I need the Guest Users to authenticate on the UniFi-Controller, which resides on the production network, which was what I was trying to block. I used the following config to create the PBR:

Standard IP access list 7
10 permit 10.7.0.0, wildcard bits 0.0.255.255

route-map GUEST-POLICY, permit, sequence 10
Match clauses:
ip address (access-lists): 7
Set clauses:
ip default next-hop 10.255.255.2

The UniFi-Controller IP is 10.1.2.213

Anything I can do to allow the Guest VLAN communicate with that one server?

6 Replies

Hello

It seems you may have an incorrect PBR stanza statement:

set ip default next-hop xx works ONLY when there ISN'T a valid route in the routing table of the router. If there is a valid route, then normal routing takes precedence, so if this is the case then I suggest changing that statement to: set ip next-hop xxxx


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

I thought with the "Default Next-hop" it would check the routing table first, and then do a next-hop. Maybe I misunderstood.

I already did the change, but it still blocks everything internally.

Hello,

What is the UniFi controller for? RADIUS authentication? In that case, you could have an extended access list for your route map that permits e.g. port 1812 (UDP and TCP), and another extended access list that allows everything else.

The RADIUS ports match on the first permit statement, but since there is no next-hop, the routing table is being used. The rest of the traffic will be processed by the second permit statement.

access-list 101 permit tcp 10.7.0.0 0.0.255.255 host 10.1.2.213 eq 1812
access-list 101 permit udp 10.7.0.0 0.0.255.255 host 10.1.2.213 eq 1812
!
access-list 102 permit ip 10.7.0.0 0.0.255.255 any

!

route-map GUEST-POLICY permit 10
match ip address 101
!
route-map GUEST-POLICY permit 20
match ip address 102
set ip next-hop 10.255.255.2

The UniFi controller will allow the wireless guest users to accept the Terms and Conditions. It just needs the portal.

Hello

Leave the new PBR statement in place for now, but verify your routing and wifi environment. Is this 3850 a converged WLC?
Can you post in an attached file the running configuration of this 3850 along with any network topology diagram you may have.



Kind Regards
Paul

Hello,

If you don't know what protocol and/or port on the portal needs to be accessed, just let the clients access the entire server:

access-list 101 permit ip 10.7.0.0 0.0.255.255 host 10.1.2.213
!
access-list 102 permit ip 10.7.0.0 0.0.255.255 any

!

route-map GUEST-POLICY permit 10
match ip address 101
!
route-map GUEST-POLICY permit 20
match ip address 102
set ip next-hop 10.255.255.2
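A small Python model of how the switch walks these route-maps, added here as an illustration and not code from the thread or from Cisco: it applies Cisco wildcard-mask ACL matching, evaluates the sequences in order, and models the documented difference between set ip next-hop (always overrides) and set ip default next-hop (only when the routing table has no non-default route). The routing table (RIB) and the guest client addresses are constructed; the ACLs and route-maps are the ones posted above, with ACL 102 standing in for the original standard ACL 7.

```python
import ipaddress

def _addr_match(spec: str, addr: str) -> bool:
    """Cisco address specs: 'any', 'host x.x.x.x', or 'net wildcard' (1 bit = don't care)."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec.split()[1]
    net, wild = spec.split()
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return int(ipaddress.IPv4Address(addr)) & mask == int(ipaddress.IPv4Address(net)) & mask

def acl_permits(acl, proto, src, dst, dport) -> bool:
    """Extended ACL as a list of (proto, src_spec, dst_spec, dst_port_or_None) tuples."""
    for ace_proto, ace_src, ace_dst, ace_port in acl:
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if ace_port is not None and ace_port != dport:
            continue
        if _addr_match(ace_src, src) and _addr_match(ace_dst, dst):
            return True
    return False  # implicit deny at the end of every Cisco ACL

def has_route(rib, dst) -> bool:
    """True if a non-default route covers dst (what 'set ip default next-hop' checks)."""
    return any(ipaddress.IPv4Address(dst) in ipaddress.IPv4Network(p)
               for p in rib if p != "0.0.0.0/0")

def pbr_decision(route_map, rib, proto, src, dst, dport):
    """Return the next-hop the first matching sequence sets, or 'rib' for normal routing."""
    for acl, set_clause in route_map:            # sequences are evaluated in order
        if not acl_permits(acl, proto, src, dst, dport):
            continue
        if set_clause is None:                    # matched, no set clause: routing table
            return "rib"
        kind, nexthop = set_clause
        if kind == "next-hop":                    # set ip next-hop always overrides
            return nexthop
        return "rib" if has_route(rib, dst) else nexthop  # set ip default next-hop
    return "rib"                                  # no sequence matched

# The thread's policies (ACL_102 has the same effect as the original standard ACL 7).
ACL_101 = [("tcp", "10.7.0.0 0.0.255.255", "host 10.1.2.213", 1812),
           ("udp", "10.7.0.0 0.0.255.255", "host 10.1.2.213", 1812)]
ACL_101_HOST = [("ip", "10.7.0.0 0.0.255.255", "host 10.1.2.213", None)]
ACL_102 = [("ip", "10.7.0.0 0.0.255.255", "any", None)]
GUEST_POLICY = [(ACL_101, None), (ACL_102, ("next-hop", "10.255.255.2"))]
GUEST_POLICY_HOST = [(ACL_101_HOST, None), (ACL_102, ("next-hop", "10.255.255.2"))]
ORIGINAL_POLICY = [(ACL_102, ("default-next-hop", "10.255.255.2"))]
RIB = ["10.1.0.0/16", "10.7.0.0/16", "0.0.0.0/0"]  # constructed routing table, not from the thread
```

Running it shows why the reply moved from the RADIUS-only ACL to the whole-host ACL: with GUEST_POLICY, a guest's HTTPS connection to 10.1.2.213 is still sent to 10.255.255.2, while GUEST_POLICY_HOST leaves any traffic to the controller to the routing table.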
